RFC - Offensive Security Notes
  • Active Directory
    • Enumeration
      • Active Directory Module
        • Enumerating the Domain
        • Enumerating ACLs
      • PowerView 3.0
      • Verify connectivity to domain controller
      • WMI domain enumeration through root\directory\ldap
      • PAM Trust
      • DNS discovery
        • Get-DnsServerZone
    • Privilege Escalation
      • Kerberos Delegation
        • Unconstrained delegation
        • Constrained delegation
        • Resource-based Constrained Delegation
      • Escalating from child to parent domain
      • Abusing inter-forest trust
      • WSUS server abuse
      • ACL Enumeration with PowerView 2.0
    • Persistence
      • Kerberos attacks
        • Golden ticket
        • Silver ticket
      • DSRM (Directory Services Restore Mode)
  • Initial Access
    • VBA Macros
      • Mark-of-the-Web
  • Discovery
    • Juicy files
      • PowerShell history
    • Network Enumeration
      • Network discovery scans
        • Ping scan
      • Nmap
      • Perimeter firewall scanning for open outbound ports
  • Execution
    • WMI
      • Remote code execution using WMI
    • PowerShell
      • C# assembly in PowerShell
        • List load assembly
        • Add-Type
        • UnsafeNativeMethods
        • DelegateType Reflection
        • Reflective Load
    • C# .Net Assembly
      • Process injection
        • Debugging
        • Using VirtualAllocEx and WriteProcessMemory
        • Using NTAPI Undocumented Functions
    • ReverseShells
      • Linux
        • Stabilizing zsh shell
    • Metasploit
      • HTTPs Meterpreter
  • Exploitation
    • Win32 APIs
      • OpenProcess
      • VirtualAllocEx
      • WriteProcessMemory
      • CreateRemoteThread
  • Credential Access
    • Microsoft Windows
      • Windows credential audit and logon types
      • Local credentials (SAM and LSA)
      • Lsass from forensics dump
      • Access Tokens
        • SeImpersonatePrivilege
      • ntds.dit
        • Dumping the contents of ntds.dit files using PowerShell
      • Mimikatz
      • LAPS
  • Lateral Movement
    • Windows Lateral Movement
      • Remote Desktop Protocol (RDP)
      • PowerShell Remoting (PS Remote)
        • Kerberos double hoping
      • Windows Task Scheduler
    • Linux Lateral Movement
  • Persistence
  • Defence Evasion
    • Antimalware Scan Interface (AMSI)
      • Debugging AMSI with Frida
      • PowerShell Bypasses
      • JS/VBA Bypasses
    • PowerShell
      • PowerShell version 2
      • Constrained Language Mode
      • Just Enough Administration (JEA)
      • ScriptBlockLogging
    • Microsoft Defender
    • Anti-virus evasion
      • Evasion and bypassing detection within C#
        • Encryptors
          • Aes encryptor
        • Sandbox evasion
          • Time accelerated checks
    • AppLocker
      • InstallUtil
      • MsBuild
  • Network Pivoting
    • Proxies and port fowarding
      • SSH
      • Metasploit
      • Socat
      • SSH Shuttle
      • Windows netsh command
    • Network discovery and scanning
  • Exfiltration
    • Windows
      • Copy files over SMB
  • Services
    • MS SQL Server
      • Enumeration
      • UNC Path Injection
      • Privilege Escalation
      • Linked Servers
      • SQL Injection
  • Misc
    • CrackMapExec
    • Cheat sheets
Powered by GitBook
On this page
  • Display a list of cmdlets contained in the Defender module
  • Check for running Microsoft Defender services
  • Disable Realtime monitoring altogether
  • References
  1. Defence Evasion

Microsoft Defender

Display a list of cmdlets contained in the Defender module

Get-Command -Module Defender
> Get-Command -Module Defender

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Add-MpPreference                                   1.0        Defender
Function        Get-MpComputerStatus                               1.0        Defender
Function        Get-MpPreference                                   1.0        Defender
Function        Get-MpThreat                                       1.0        Defender
Function        Get-MpThreatCatalog                                1.0        Defender
Function        Get-MpThreatDetection                              1.0        Defender
Function        Remove-MpPreference                                1.0        Defender
Function        Remove-MpThreat                                    1.0        Defender
Function        Set-MpPreference                                   1.0        Defender
Function        Start-MpRollback                                   1.0        Defender
Function        Start-MpScan                                       1.0        Defender
Function        Start-MpWDOScan                                    1.0        Defender
Function        Update-MpSignature                                 1.0        Defender

Check for running Microsoft Defender services

Get-Service SecurityHealthService, WinDefend, Sense, WdNisSvc | Select-Object Name,DisplayName,Status

Get-MpComputerStatus allows you to display the current status of Windows Defender: enabled options, virus definition date and version, last scan time, and others.

To quickly check if Windows Defender is running on your computer and find out the last antivirus definition update date, run the following PowerShell command:

Get-MpComputerStatus | Select-Object -Property Antivirusenabled,AMServiceEnabled,AntispywareEnabled,BehaviorMonitorEnabled,IoavProtectionEnabled,NISEnabled,OnAccessProtectionEnabled,RealTimeProtectionEnabled,AntivirusSignatureLastUpdated

Disable Realtime monitoring altogether

Set-MpPreference -DisableRealtimeMonitoring $true

References

PreviousScriptBlockLoggingNextAnti-virus evasion

Last updated 2 years ago

LogoManage and Disable Windows Defender Using PowerShell – TheITBrosTheITBros